Comments (9)
landley
commented on July 22, 2024
On 08/22/2017 07:16 AM, butterl wrote:
Hi,
we have meet ps segment fault while doing test
|pid: 6149, tid: 6149, name: ps >>> /system/bin/ps <<< signal 11
(SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10 Cause: null pointer
dereference Stack Trace: RELADDR FUNCTION FILE:LINE 0000000000034294
get_threads+228 external/toybox/toys/posix/ps.c:917 000000000000da2c
dirtree_handle_callback+36 external/toybox/lib/dirtree.c:112
000000000000db38 dirtree_recurse+128 external/toybox/lib/dirtree.c:156
000000000000da84 dirtree_handle_callback+124
external/toybox/lib/dirtree.c:115 0000000000033628 ps_main+952
external/toybox/toys/posix/ps.c:1238 000000000001375c toy_exec+104
external/toybox/main.c:166 000000000001330c toybox_main+48
external/toybox/main.c:179 0000000000013818 main+124
external/toybox/main.c:237 |
The ERROR code suspected as blow in get_threads, while in multi-thread ,
passing the parameters of the process is still running, the upper layer
is not stopped, and ran to this function may have been out of the
process, the marked code, will lead to access to empty pointers, causing
crashes.
I also find some one has reported similar question in mailing list
***@***.***/msg03985.html>
Yes, and the fix to that was commit e97aeb6 back in march, which
was in the 0.7.4 release in June.
Do you got any solution to this?
What version are you running? Can you reproduce the issue against the
current tree?
Rob
from toybox.
butterl
commented on July 22, 2024
Hi Rob,
The patch already in the build tree,
the error seems here ,
if (new->child == DIRTREE_ABORTVAL) new->child = 0; ///////<<<<< suspected
....
dt = new->child; ///////<<<<< dt maybe 0
while (dt->child) { ///////<<<<< suspected
new = dt->child->next;
TT.show_process((void *)dt->child->extra);
free(dt->child);
dt->child = new;
}
from toybox.
enh
commented on July 22, 2024
Yes, and the fix to that was commit e97aeb6 back in march
the linked-to mailing list post was from me, reporting that although e97aeb6 reduced the incidence of this down to where i'm not aware of any human seeing ps crashes directly, we're still seeing occasional ones from automated crash reporting.
this is definitely still reproduceable. (as is top crashing if you leave it running long enough; this can be caught in reasonable-ish time frames if you run an asan build rather than a regular build, so it catches the corruption immediately. i've no idea whether these are related, so default to assuming they're not.)
from toybox.
landley
commented on July 22, 2024
On 08/27/2017 02:25 PM, Elliott Hughes wrote:
Yes, and the fix to that was commit e97aeb6
<e97aeb6>
back in march
the linked-to mailing list post was from me, reporting that although
e97aeb6
<e97aeb6>
reduced the incidence of this down to where i'm not aware of any human
seeing ps crashes directly, we're still seeing occasional ones from
automated crash reporting.
He replied and clarified, and I have a window open to remind me to fix it.
Sorry, between the hurricane and $DAYJOB still being in crunch mode the
time I thought I'd spend on toybox this weekend's been mostly eaten by
other things. Lemme try to catch up...
this is definitely still reproduceable. (as is top crashing if you leave
it running long enough; this can be caught in reasonable-ish time frames
if you run an asan build rather than a regular build, so it catches the
corruption immediately. i've no idea whether these are related, so
default to assuming they're not.)
Nah, I'm pretty sure it's a null pointer dereference. Hits the guard
page, crashes on anything with an mmu. :)
Sorry for the slow response...
Rob
from toybox.
butterl
commented on July 22, 2024
Hi Rob,
Seems this race condition will not fix with a simple nullptr checker workaround , do you got any good idea on this?
BRs,
Chao
from toybox.
raymond-wx
commented on July 22, 2024
@landley
Hi Rob,
we also met this issue in our autotest pipe line many times, if this issue get fixed we can avoid lots of noise from autotest pipe.
from toybox.
enh
commented on July 22, 2024
another instance today from automated testing:
pid: 29772, tid: 29772, name: ps >>> ps <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
x0 0000000000000000 x1 0000000000000000 x2 0000000000000000 x3 0000007ff72069a8
x4 0000007c072d17e7 x5 0000007c0721d07e x6 0000000000000069 x7 0000000000000070
x8 0000000000000000 x9 0000000000000001 x10 0000000000004001 x11 0000000000000000
x12 0000007c076d04b0 x13 00000000fffffffe x14 0000000000000001 x15 0000000000000002
x16 0000007c076ee2c8 x17 0000007c0768bad8 x18 0000007c076f9000 x19 0000007c072350c0
x20 0000000000000000 x21 000000556ae34868 x22 000000556ae31840 x23 00000000000008c5
x24 0000007c07235010 x25 0000000000000000 x26 0000000000000000 x27 0000000000000000
x28 0000000000000000 x29 0000007ff72071a0 x30 000000556ae06f98
sp 0000007ff7207170 pc 000000556ae06fa0 pstate 0000000080000000
Stack Trace:
RELADDR FUNCTION FILE:LINE
0000000000036fa0 get_threads+228 external/toybox/toys/posix/ps.c:920
000000000000db9c dirtree_handle_callback+36 external/toybox/lib/dirtree.c:112
000000000000dca0 dirtree_recurse+120 external/toybox/lib/dirtree.c:156
000000000000dbf4 dirtree_handle_callback+124 external/toybox/lib/dirtree.c:115
0000000000036334 ps_main+952 external/toybox/toys/posix/ps.c:1241
00000000000139b0 toy_exec+92 external/toybox/main.c:166
0000000000013570 toybox_main+48 external/toybox/main.c:179
0000000000013a74 main+120 external/toybox/main.c:237
00000000000a1e08 __libc_init+88 bionic/libc/bionic/libc_init_dynamic.cpp:124
000000000000ccc0 _start_main+80 sfp-exceptions.c:?
from toybox.
landley
commented on July 22, 2024
On 08/31/2017 03:11 PM, Elliott Hughes wrote:
another instance today from automated testing:
Ok, I pushed an attempted fix.
The delay was that I wanted to create a test harness that spawns and
exits a lot of processes while ps or top repeatedly run, and try to
trigger the conditions of the failure (I.E. see the bug myself and then
maybe leave something running overnight to make sure it stays up), but
the _theory_ of what's happening is pretty clear so I can plug one more
hole in the meantime anyway.
Rob
from toybox.
enh
commented on July 22, 2024
time to close this as fixed? haven't seen another instance in months since the last fix...
from toybox.
Related Issues (20)
- env.test fails in a coverage run HOT 2
- i2cget doesn't support implicit "next" address (BUS CHIP vs BUS CHIP ADDR) HOT 27
- 0.8.9 Compile issue HOT 2
- Trying to ping anything returns "System error" HOT 2
- gzip --rsyncable HOT 5
- ls -k HOT 2
- add shuf or sort -R HOT 2
- vmstat: Bad pgpgin in /proc/vmstat: HOT 4
- stat -f -c %T /sys/fs/cgroup/memory display "unknown" instead of "cgroupfs" HOT 11
- fold: tests don't pass HOT 2
- xargs needs "--" argument stopper HOT 5
- sh: failure in cmake OS detection script HOT 14
- diff from stdin HOT 2
- find crash on invalid argument HOT 2
- Why is bash hardcoded in scripts and tests? HOT 1
- UTF-8 character support in Android's `sed` HOT 5
- tar: `--sort=name` Does not follow symlinks with `-h` HOT 1
- `xxd -p` adds an extra space at the end of each line HOT 2
- `kill` command shouldn't assume process name has no spaces in it HOT 2
- cpio does not support -L / --dereference HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from toybox.